Thrice Is Nice: Ukraine In Review
- 9. Lots Of Bad Stuff, Only Three KNOWN Power Sector Incidents
• 2015: BlackEnergy3-Facilitated Event
• 2016: Industroyer Destructive Attempt
• 2022: Industroyer2 Disruption (?) Attempt
- 11. Compromise IT Network
• Phishing With Malicious Docs
• Use Of BlackEnergy3 To Facilitate Operations
Enter OT Environment
• Credential Harvesting & Replay
• OT Asset Access
Induce Disruption
• "SCADA Hijack" & "Phantom Mouse"
• Wiper Deployment
• UPS & Serial-To-Ethernet Disruption
- 12. Prykarpattyaoblenergo
• KillDisk Wiper
• Serial-To-Ethernet Attack
• Call Center Disruption
• UPS Shutdown For Telecom PBX
Kyivoblenergo
• KillDisk Wiper
• Serial-To-Ethernet Attack
• Call Center Disruption
• UPS Shutdown
Chernivtsioblenergo
• KillDisk Execution
• Serial-To-Ethernet Attack
- 13. Post-Disruption Attack: Operator Impact & Implications
• KillDisk Wiper: Remove System Monitoring & Control Equipment From Use; Delay & Inhibit Remote Recovery
• Serial-To-Ethernet Firmware Modification: Eliminate Ability To Control Or View Equipment
• UPS Modification: Induce Outages And Loss Of Resiliency, Further Inhibit Recovery
• Telephone DoS: Induce Panic In Customer Base; Inhibit Ability To Scope Outage
- 14. Execution
• Months Of Preparation
• Very "Manual" Attack – Multiple Teams Acting Simultaneously?
Impact
• Loss & Denial Of Control
• Targeting Visibility & Recovery
Result
• UA Operators Rapidly Moved To Manual Operations
• Disruptive, And Full Recovery Took A LONG Time - But Not As Bad As It Could Have Been!
- 16. Compromise Data Historians To Enable Access To Control Network
Push CRASHOVERRIDE To SCADA/DCS Devices, Schedule Execution Via Service
Execute CRASHOVERRIDE To Open Breakers
Wipe SCADA/DCS Devices Via Service Re-Mapping, File Deletion
Shut Down Protective Relays Via Denial-Of-Service Attack
- 17. (Same Sequence As Slide 16) INTENDED BUT (MOSTLY) FAILED!
- 21. Open Breakers To Interrupt Service
Anticipate Rush To Service Restoration Based On 2015 Event
Remove Line Protection Via Relay DoS
Enable Potential Destructive Impact On Manual Reconnect
- 22. Based On Deployed Capabilities And Sequence, 2016 Was Likely An Attempt At A Destructive Event!
- 25. Control System Communications Not Properly Implemented
Evidence Of "Rushed Development" In Industroyer Modules
Siprotec Relay DoS Not Properly Developed, Deployed
- 34. CaddyWiper
• Deployed On ICS Workstations
• Similar To KillDisk Deployment In 2015, Wiper Element In 2016
ORCSHRED/SOLOSHRED/AWFULSHRED
• Linux & Solaris-Focused Wipers
• Use "shred" Or "dd" Commands, Stops Critical Services
• Extends Disruption Across Environment
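The shred/dd and service-stop behaviour on this slide is the kind of thing host telemetry can catch early; as an added defender-side example (not code from the talk, and the telemetry format, rule patterns and host names are constructed for illustration), the detector below classifies process-execution records and alerts only when one host shows several distinct wiper behaviours, which keeps a lone `dd` of an ISO image from firing.

```python
# Added example, not from the talk: correlate shred/dd wiping and service stops per host.
import re
from collections import defaultdict

# (category, pattern over the command line). Patterns are illustrative assumptions.
RULES = [
    ("wipe_shred", re.compile(r"(^|/)shred\s+")),
    ("wipe_dd", re.compile(r"(^|/)dd\b.*\bif=/dev/(zero|urandom)\b.*\bof=/dev/")),
    ("stop_service", re.compile(r"(^|/)(systemctl|service)\s+(stop|disable)\s+\S+")),
]

# Constructed sample telemetry: timestamp, host, uid, quoted command line.
SAMPLE_EVENTS = [
    '2022-04-08T09:58:10Z scada-lnx1 0 "systemctl stop historian.service"',
    '2022-04-08T09:58:12Z scada-lnx1 0 "dd if=/dev/zero of=/dev/sda bs=1M"',
    '2022-04-08T09:58:15Z scada-lnx1 0 "shred -z -n 3 /var/lib/hmi/config.db"',
    '2022-04-08T10:01:00Z build-box 1000 "dd if=image.iso of=/tmp/copy.iso bs=4M"',
    '2022-04-08T10:02:00Z build-box 1000 "systemctl stop nginx"',
]

LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\d+)\s+"(.*)"$')


def parse_event(line):
    """Split one telemetry line into its fields; None if the line is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, uid, cmd = m.groups()
    return {"ts": ts, "host": host, "uid": int(uid), "cmd": cmd}


def classify(cmd):
    """Return the wiper-related categories a command line matches (may be empty)."""
    return [cat for cat, rx in RULES if rx.search(cmd)]


def detect(lines, min_categories=2):
    """Group hits per host; alert when a host shows >= min_categories distinct behaviours."""
    hits = defaultdict(dict)  # host -> {category: first matching command line}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for cat in classify(ev["cmd"]):
            hits[ev["host"]].setdefault(cat, ev["cmd"])
    return {host: cats for host, cats in hits.items() if len(cats) >= min_categories}
```

With the constructed events, only scada-lnx1 crosses the threshold; build-box matches one rule each for a benign image copy and a service stop and stays quiet.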
- 35. Scale
• Much Larger Scale Than 2016
• Closer To 2015 In Targeting Multiple Sites Simultaneously
• Automated Execution & Deployment Like 2016?
Impact Scenario
• Significant Deployment Of Wipers Across Multiple System Types
• Catalog Of KNOWN Capabilities Indicates Disruptive-Only Event
Success
• IEC-104 Payload Seems Like It Would Have Worked!
• Learning From 2016 Mistakes
• Intervention Prevented Impact Scenario
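The IEC-104 payload named above, like CRASHOVERRIDE's breaker-opening module, works by issuing ordinary single or double commands to outstations, so an OT network monitor that decodes the protocol can alert on any activated control command from an unexpected source. As an added example (not code from the talk; the frame bytes, addresses and helper names are constructed), this minimal IEC 60870-5-104 decoder ignores S/U frames and monitoring data and describes only control commands.

```python
# Added example, not from the talk: decode IEC-104 APDUs and flag breaker-style control commands.

# Process-control type identifiers (control station -> outstation) worth alerting on
CONTROL_TYPES = {45: "C_SC_NA_1", 46: "C_DC_NA_1", 58: "C_SC_TA_1", 59: "C_DC_TA_1"}
COT_ACTIVATION = 6  # cause of transmission 6 = "activation": a command is being issued


def parse_apdu(frame: bytes):
    """Decode one IEC-104 APDU carrying a single-object ASDU; None for S/U frames or bad data."""
    if len(frame) < 6 or frame[0] != 0x68 or frame[1] != len(frame) - 2:
        return None
    if frame[2] & 0x01:  # control field bit 0 set => S- or U-format, no ASDU inside
        return None
    asdu = frame[6:]
    if len(asdu) < 10:  # type(1) VSQ(1) COT(2) common address(2) IOA(3) info(1)
        return None
    return {
        "type": asdu[0],
        "cot": asdu[2] & 0x3F,  # low 6 bits = cause; bit 6 = P/N, bit 7 = test
        "common_addr": int.from_bytes(asdu[4:6], "little"),
        "ioa": int.from_bytes(asdu[6:9], "little"),
        "info": asdu[9],
    }


def describe_command(apdu):
    """Alert text if the APDU is an activated control command, else None."""
    if apdu is None or apdu["type"] not in CONTROL_TYPES or apdu["cot"] != COT_ACTIVATION:
        return None
    info = apdu["info"]
    select = bool(info & 0x80)  # S/E bit: 1 = select, 0 = execute (the step that moves the breaker)
    if apdu["type"] in (45, 58):  # single command: bit 0 = ON/OFF
        state = "ON" if info & 0x01 else "OFF"
    else:  # double command: bits 0-1, 1 = OFF, 2 = ON
        state = {1: "OFF", 2: "ON"}.get(info & 0x03, "INVALID")
    return (f"{CONTROL_TYPES[apdu['type']]} {'SELECT' if select else 'EXECUTE'} {state} "
            f"ca={apdu['common_addr']} ioa={apdu['ioa']}")


# Constructed sample session: STARTDT U-frame, a spontaneous status report, then an execute-OFF
SAMPLE_FRAMES = [
    bytes.fromhex("680407000000"),
    bytes.fromhex("680e00000000010103000100e9030001"),
    bytes.fromhex("680e000000002d0106000100e9030000"),
]


def alerts(frames):
    """Run every frame through the decoder and keep only control-command alerts."""
    return [d for d in (describe_command(parse_apdu(f)) for f in frames) if d]
```

Real ASDUs may carry several information objects (VSQ bits 0-6 count them), which this single-object decoder does not walk; the control-field and type-ID handling is the part a detection rule needs.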
- 41. Based On Analysis Of Available Data, NONE Of The Targeted Attacks On Ukraine Electric Entities Worked As Planned
- 42. 2015: Rapid Manual Restoration Resulted In Limited Outage
2016: Various Technical Errors Resulted In Limited Outage, Failed Destructive Event
2022: Rapid Info Sharing And Coordination Enabled Identification And Prevention Of Event
- 51. Our Visibility Is Limited To Tools (Malware) & Impacts (What Is Reported)
Multiple Teams - Operators, Developers, Others - May Be Involved!
Links Between Events May Highlight More Complex Relationships Than What Our Visibility Shows!
- 55. Cyber Events Are VERY Real
Ukraine Is Both A Lesson AND An Example For Us All!
Operational Resilience And Flexibility Are Critical!
- 56. References and Resources
• Analysis of the Cyber Attack on the Ukrainian Power Grid – SANS & E-ISAC (https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf)
• Ukraine Cyber-Induced Power Outage: Analysis and Practical Mitigation Strategies – David E. Whitehead, Kevin Owens, Dennis Gammel, and Jess Smith, Schweitzer Engineering Laboratories (https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6774_UkraineCyber_DEW_20170130_Web7.pdf?v=20191014-184954)
• CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack – Joe Slowik, Dragos (https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf)
• WIN32/INDUSTROYER: A New Threat for Industrial Control Systems – Anton Cherepanov, ESET (https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf)
• Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE – Joe Slowik, Dragos (https://www.virusbulletin.com/virusbulletin/2019/03/vb2018-paper-anatomy-attack-detecting-and-defeating-crashoverride/)
• Stuxnet to CRASHOVERRIDE to TRISIS: Evaluating the History and Future of Integrity-Based Attacks on Industrial Environments – Joe Slowik, Dragos (https://www.dragos.com/wp-content/uploads/Past-and-Future-of-Integrity-Based-ICS-Attacks.pdf)
• Industroyer2: Industroyer Reloaded – ESET Research (https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/)
• Industroyer2 IEC-104 Analysis – Erik Hjelmvik, Netresec (https://www.netresec.com/?page=Blog&month=2022-04&post=Industroyer2-IEC-104-Analysis)
• Industroyer2 In Perspective – Joe Slowik, Stranded On Pylos (https://pylos.co/2022/04/23/industroyer2-in-perspective/)
• GREYENERGY: A Successor to BlackEnergy – Anton Cherepanov, ESET (https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf)
• New TeleBots Backdoor: First Evidence Linking Industroyer to NotPetya – Anton Cherepanov & Robert Lipovsky, ESET (https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/)
• Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace – US Department of Justice (https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and)